Instead of relying only on self-reported breaches of patients' data, HHS's civil rights office will be launching a "permanent audit program" that will check compliance with patient privacy rules not only by medical providers, insurance plans, and hospitals, but also by their business associates, such as billing companies, said Rachel Seeger, OCR spokeswoman.


"We hope to audit 350 covered entities and 50 business associates in this first go-round," Seeger said. "Selected entities will receive notification and data requests in fall 2014, with business associate audit subjects being included in 2015."

The audits and settlements are designed to spur compliance with the requirement that health-related entities and their associates secure patient information kept on mobile devices.

However, OCR's looming permanent audit system could lead to more large settlements such as the one with Concentra, whose 330 locations serve 30,000 people each day in 38 states. The company, which provides occupational medicine, urgent care, physical therapy, and wellness services, boasts of treating one out of every seven workers' compensation cases in the U.S.

Concentra's data breaches included the thefts of two unencrypted laptops containing data about a combined 1,770 patients—one theft in 2009, and another in 2011. Seeger said Concentra also had 16 other breaches that each involved fewer than 500 individuals.

"OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information [ePHI] was at critical risk," OCR said in a prepared statement.

"While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information," the agency said.

Ross McLerran, a spokesman for Concentra's parent company Humana, said in a statement, "Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect."

OCR's new audit strategy also could lead to more enforcement action and settlements with entities such as Arkansas-based insurer QCA Health Plan. This month, QCA paid a $250,000 settlement with the agency after self-reporting the October 2011 theft of a laptop that contained data about just 148 patients, which an employee had left in their car under a seat.

"I've never seen anything like this in my career," Smith said. "I had never seen such an extensive investigation such as ours."

Smith said she expects that insurers, including ones who report breaches of fewer than 500 people, will face heightened scrutiny under OCR's new permanent audit program.

OCR, in a prepared statement, noted that although QCA "encrypted their devices following discovery of the breach, OCR's investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rules in April 2005 and ending in June 2012."

QCA said in its own prepared statement: "This settlement agreement is not an admission of any wrongdoing by QCA. QCA is committed to the privacy and security of its members' personal information and has strengthened safeguards to enhance the protection of their information, including encrypting all company laptops and mobile devices."